Bringing GRC Federation into IT Security

Balancing coordination of shared IT, security and GRC data and resources and services with distributed business unit management of GRC to provide more centralized oversight.

Federation also requires both organization and role-based access that permits users from a federated unit to see only that which they are authorized to see, yet allows those in centralized functions access to rolled-up information across all units. A GRC technology platform that supports federation will be able to consolidate and rationalize information and processes in a way that single solutions cannot.

Furthermore, a federated GRC platform has the capability to reach into the technology eco-system and pull information in and send information back out to business, IT and security monitoring systems in order to provide a near-real-time view of risk and compliance – whether that data be unstructured or structured. Having actionable information all in one place means the organization can slice and dice information to provide analytics and true insights into when, why, and how to take on risk. The capabilities of a GRC platform that truly support federation are necessary in order to move up the maturity curve to GRC intelligence.

What is federated GRC?

GRC, by definition, involves bringing together governance, risk and compliance disciplines from across an increasingly complex, extended enterprise with deep interlocks to customer and supplier eco-systems. While it’s not realistic to expect organizations to converge on a common set of GRC processes across this complex landscape, there is huge value in taking a federated approach to GRC that leverages the common risk elements from each business unit, IT and security teams, and management of third parties.

Building a federated GRC capability involves understanding the information architecture and processes that are critical to improving business performance, lowering risk exposure, and ensuring compliance with policies and regulations across the entire organization and its vendor communities. It’s important to engage stakeholders from different business units and collaboratively define what needs to be common, versus what can, or must remain federated, but rationalized through a roll-up in the context of the organization as a whole – its strategic objectives, its legal obligations and its risk appetite.

The degree of federation that makes sense will be very tightly tied to the operating model, and will reflect the reporting requirements and decision-making authority that resides within each unit. For example, a highly distributed organization with very distinct businesses may require a broader degree of federation than a global organization that is highly regulated, and therefore requires greater consistency and predictability across the business. Federation requires an understanding of your organization, its natural structure, and its objectives in order to strike the right balance.

Yo Delmar, vice president, MetricStream, has identified steps organizations can take to establish an integrated GRC and security approach using a "federated" model.

To protect the company from those insiders who abuse their privileged access and from hackers with stolen credentials, many companies are turning to a privileged access management (PAM) solution. ... More >>